CVE-2023-48396

Web Authentication vulnerability in Apache SeaTunnel. Since the jwt key is hardcoded in the application, an attacker can forge any token to log in any user. Attacker can get secret key in /seatunnel-server/seatunnel-app/src/main/resources/application.yml and then create a token. This issue affects Apache SeaTunnel: 1.0.0. Users are recommended to upgrade to version 1.0.1, which fixes the issue.

CVSS

No CVSS.

References

Link	Resource
http://www.openwall.com/lists/oss-security/2024/07/30/1
https://lists.apache.org/thread/1tdxfjksx0vb9gtyt77wlr6rdcy1qwmw

Configurations

No configuration.

History

30 Jul 2024, 13:15

Type	Values Removed	Values Added
References		() http://www.openwall.com/lists/oss-security/2024/07/30/1 -
Summary		(es) Vulnerabilidad de autenticación web en Apache SeaTunnel. Dado que la clave jwt está codificada en la aplicación, un atacante puede falsificar cualquier token para iniciar sesión en cualquier usuario. El atacante puede obtener la clave secreta en /seatunnel-server/seatunnel-app/src/main/resources/application.yml y luego crear un token. Este problema afecta a Apache SeaTunnel: 1.0.0. Se recomienda a los usuarios actualizar a la versión 1.0.1, que soluciona el problema.

30 Jul 2024, 09:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-07-30 09:15

Updated : 2024-07-30 13:32

NVD link : CVE-2023-48396

Mitre link : CVE-2023-48396

CVE.ORG link : CVE-2023-48396

JSON object : View

Products Affected

No product.

CWE

CWE-290

Authentication Bypass by Spoofing

JSON object

Attach tags to CVE-2023-48396

Attach tags to `CVE-2023-48396`